Controlling access to protected resources is of paramount importance in many computing environments. Inadvertent or unauthorized access to a protected resource can corrupt the resource and have other far reaching detrimental effects to the environment. Access is controlled by limiting for a given resource those processes authorized to access the resource. For example, for a particular resource, access authorization is provided to a limited set of processes and processes external to the limited set are unauthorized to access that particular resource.
At times, however, a given process needs access to a resource that it is authorized to access, as well as to a resource that it is unauthorized to access. For example, in a client/server system, a client may request a service of the server and to fulfill that service the server is to have access to one or more resources to which it is authorized, as well as to one or more resources accessible to the client, but not to the server.
Previously, to address this situation, the server created a new client process and under the auspices of the client's identity accessed the desired resources. However, this may not be sufficient, since the new client may also need access to resources of the server.
In order to access the server resources, the identity of the client has to be switched back to the server. That is, the identity of the client is switched back and forth between the identity of the client and the identity of the server depending on which resource is to be accessed at any particular point in time in order to service the client's request.
The switching of identities is disadvantageous, however. For example, it adds complexity to the application code and compromises security. Therefore, a further need exists for a capability that facilitates access to protected resources. As one example, a need exists for a capability that eliminates the switching of identities.